Comments (3)
Hey @0xC0FFEEEE,
Was this working before and suddenly changed?
from splunk-apps.
I believe this has always been the case, our Obs team has been trying to get to the bottom of this since the integration was originally set up and have had an ongoing case raised with Splunk on this issue.
My fix for this is a bit hacky, I've cloned the sourcetype and set the following:
LINE_BREAKER: \}\}()
TRUNCATE: 999999
For reference the installed version on our Splunk cloud environment is currently v8.1.0
from splunk-apps.
I've identified another issue which is impacting the ability to perform field extractions and normalization. similar to #325. This could be due to the events being sent to the incorrect HTTP endpoint (as there are several to choose from in the Splunk dev docs covering HTTP inputs).
What should happen is that the top level key/value pairs in the JSON sent to Splunk should be interpreted as internal fields (.e.g. host, source, time), and the nested JSON under the event key interpreted as the actual event and displayed accordingly.
What is actually happening is the following, the Palo event data lives under the event key at the top level and therefore all of the Palo knowledge objects are not being applied as the fields are extracted as event.<field_name>.
Example of a correctly interpreted event sent to the https://http-inputs.splunkcloud.com/services/collector/event
endpoint. Note that the JSON displayed is the nested JSON from the top level event key, this was sent to the HTTP input endpoint as follows:
{
"event": {"Accept":"*/*","Accept-Encoding":"gzip,deflate,br","Accept-Language":"en-GB,en; q=0.5", <snip>},
"source": "mysource",
"host": "myhost"
}
And is interpreted and displayed like this:
from splunk-apps.
Related Issues (20)
- Incorrect Field Mapping - PAN Threat - User Field (mapped with http category - Sender) HOT 3
- App is not parsing the URI to create interesting fields HOT 1
- Where are the release notes for 8.1.0? HOT 5
- field offset wrong at src_user and source_name in transforms.conf HOT 2
- pan:config in default is broken
- Logs not being properly parsed when shipped from Panorama to Splunk HOT 8
- Splunk HEC PAN firewall events "_time" not matching configured "TimeGenerated" field HOT 2
- Minemeld feeds URL inputs not accepted HOT 3
- Version 8.1.0 not listed as Splunk Cloud compatible on Splunkbase HOT 5
- Splunk Cloud App Vetting Failing Due to File in "PaxHeader" Directories HOT 1
- The splunk_ta_paloalto requests package is claiming a dependency on Older chardet and urllib3 versions, please update to new versions. HOT 1
- Not getting data from Cortex
- IoT Security Input 'Interval' Not Used To Influence 'stime' All Data All The Time HOT 1
- PAN-OS Authentication Log Field Extractions
- SourceType Confusion
- Base Search in network_security.xml does not contain vendor_action so sink holing subsearch fails
- Logs have only sourcetype of pan:log HOT 1
- PA firewall logs ingested in Splunk Cloud without field extractions HOT 2
- Duplicate field names in extraction for pan:globalprotect
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from splunk-apps.